Merged
Conversation
Issue: 6693 Add bitmask support to byte_jump - Parse - Calculate shift count - Apply to value before applying multiplier - Order items in DetectBytejumpData to reduce holes. Snort: See https://github.com/chenkc/snort2.9/blob/master/snort-2.9.11.1/src/detection-plugins/sp_byte_jump.c#L780
Issue: 6693 Clarify how the bitmask value is used for byte_jump Snort compatibility says: - The bitmask value is applied to the extracted value before the multiplier is applied. - The result of the bitmask operation is to be right shifted by the number of trailing 0's in the bitmask value.
Ticket: 8255
Ticket: 8255
Ticket: 8255
Ticket: 8255
Ticket: 8255
refs OISF#3065 * Fix to support the date format below => tls_cert_notafter:[<|>]YYYY
refs OISF#3065 * add explanation on omitted values
The parser could receive an input that consists of arbitrary data post gap. This is handled in the beginning of the fn handle_input_data. However, the rest of the calculation does not take into account the bytes that were consumed at this stage. Fix the indices and calculations to consider a new DCERPC fragment beginning post these consumed bytes.
So far, the fraglen defined in the header was used inconsistently in certain places to define bounds on input length. Make it consistent by making sure that only a slice up until fraglen is passed around as that is the maximum length the fragment should have. With the help of Applayer::incomplete API, the case when the stream_slice passed to the parser is smaller than the header defined fraglen is already handled. Bug 7546
Unittests test_parse_bind_pdu_infinite_loop and test_parse_bindack_pdu_infinite_loop seem to have artificially made up header which does not hold up to the strict calculations enforced by the parser now. Their headers mark the fraglens as 64 and 72 respectively which are not enough to hold the kind of bind(ack) items that are expected. It worked so far as the parser passed the entire input slice around but with the bugfix for issue 7546, the input passed around is strictly restricted to the fraglen parsed in the header. Bug 7546
Probably a duplicate typo
…ds doc Redmine ticket: OISF#8261 According to [1], the within pointer (if combined with distance) includes the distance pointer, which is not clearly visible in the graphic. Fixed this in a new graphic by some GIMP arts. PS: Special thanks to one of our team members Annika C. for initially spotting this! [1] https://forum.suricata.io/t/is-within-affected-by-distance/1688
victorjulien
requested review from
a team,
catenacyber,
jasonish and
jufajardini
as code owners
|
NOTE: This PR may contain new authors. |
catenacyber
approved these changes
Feb 4, 2026
Contributor
catenacyber
left a comment
catenacyber
left a comment
There was a problem hiding this comment.
Good staging, good SV, waiting for CI+QA
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #14750 +/- ##
==========================================
- Coverage 82.17% 82.15% -0.02%
==========================================
Files 1008 1003 -5
Lines 263938 263643 -295
==========================================
- Hits 216878 216586 -292
+ Misses 47060 47057 -3
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
|
Information: QA ran without warnings. Pipeline = 29411 |
jasonish
approved these changes
Feb 4, 2026
This was referenced Feb 4, 2026
Closed
This was referenced Feb 4, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
8 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Staging:
SV_BRANCH=OISF/suricata-verify#2902